Web Push: what is VAPID (applicationServerKey)?

If you are adding web push notifications to a website, you will probably hear about VAPID. Let’s see what it is and why it’s useful.

VAPID means “Voluntary Application Server Identification” for Web Push and is defined by RFC 8292.

This protocol has been added to Web Push as a separate standard after some years, in order to add an additional layer of security.

How it works

Basically, when you subscribe a user to the notifications, you can also pass a public key (cryptographic key) to the browser. Then all the notifications will need to be signed with the private key.

These are the exact steps:

  1. the website backend generates and stores in its own database a public key and private key (which will be called VAPID keys)
  2. the website frontend calls PushManager.subscribe(options) (documentation) to subscribe the user to notifications and the options include an applicationServerKey, which is the public key downloaded from server
  3. if the user accepts to receive the notifications (permission prompt), the browser needs to contact its own push service to generate a new push subscription
  4. the new push subscription returned by the browser to the website is associated to that VAPID public key
  5. the push subscription can be used only if you have the VAPID private key: you will need to sign all the future notifications sent from your backend (application server) with the VAPID private key.

Why it is useful

VAPID is useful mainly for two reasons:

  • it adds an additional layer of protection to the subscriptions, since they can only be used by someone who has the VAPID private key (in general a website must keep all the push subscriptions secret, however VAPID adds another key that is needed to send messages to those subscriptions)
  • it makes possible for a web application to add contact information to the push messages sent to the browser push service (i.e. when you send a notification, you can include your email or another contact in the headers, and sign that with the VAPID private key, so that the push service can contact you in case of need or can provide you with additional debug information about your push messages).

How to implement VAPID

You can read more about VAPID in this article from Mozilla or read the standard. Also note that many libraries for Web Push support VAPID: you just need to pass the VAPID private key when you send a notification in order to sign it.

Alternatively you can use Pushpad, which is a service provider for web push notifications that supports VAPID.

Pushpad manages all the VAPID authentication for you, automatically. You don’t have to worry about the technical details and you can used a solid solution that has been in production for years.

Pushpad can generate the VAPID keys for you (automatically) or you can import / export them.

Unlike other push services, Pushpad generates a different VAPID key pair for each website, which is more secure and allows customers to export their own VAPID keys at any time (no lock-in).

Leave a Comment